C&C Global, Inc

Data Protection and Privacy Policy

Effective Date: 3 October 2019

1. Introduction

C&C Global, Inc (“the Company”) recognizes the importance of privacy and is committed to protecting the personal information of its stakeholders, clients, employees, and any individuals it interacts with. This Data Protection and Privacy Policy (“Policy”) establishes the guiding principles for collecting, processing, storing, and disclosing personal data within the Company.

2. Scope

This Policy applies to all personal data processed by the Company, regardless of whether the data is stored electronically, on paper, or other materials. It covers all areas of operation and includes all staff, contractors, and third parties who may handle personal data.

3. Data Collection and Use

3.1 Principles of Data Collection

The Company collects personal data based on the principles of legality, fairness, and transparency. We ensure that any data collected is:

• Processed lawfully, fairly, and in a transparent manner.
• Collected for specified, explicit, and legitimate purposes.
• Adequate, relevant, and limited to what is necessary.
• Accurate and kept up to date.
• Retained only for as long as necessary.
• Processed in a manner that ensures appropriate security.

3.2 Purposes for Processing

The Company processes personal data for purposes such as:

• Provision of services and fulfillment of contractual obligations.
• Compliance with legal and regulatory requirements.
• Human resources management.
• Customer support and communication.
• Marketing and business development.

3.3 Consent

Where necessary, the Company obtains explicit consent for the processing of personal data. Individuals have the right to withdraw consent at any time.

4. Information Provision

4.1 Privacy Notices

When personal data is collected, individuals will be provided with a privacy notice containing the following information:

• The identity and contact details of the Company and the Data Protection Officer.
• The purpose and legal basis for processing.
• The legitimate interests pursued by the Company.
• Recipients or categories of recipients of the personal data.
• Information about data transfers to third countries and safeguards in place.
• The period for which the data will be stored.
• The existence of the data subject’s rights.
• The right to withdraw consent at any time, where relevant.
• The right to lodge a complaint with a supervisory authority.
• Whether the provision of personal data is a statutory or contractual requirement.

4.2 Example of Privacy Notice Clause

“Your privacy is important to us. As part of our commitment to respecting your privacy, we provide this notice explaining our information practices and the choices you can make about the way your information is collected and used. By engaging with our services, you agree to the use of your data in accordance with this notice.”

5. Data Subject Rights

The Company ensures that individuals can exercise their rights, including:

• Access: Individuals may request access to their personal data.
• Rectification: Individuals can have inaccurate personal data rectified.
• Erasure: Also known as the “right to be forgotten,” allows individuals to have personal data erased.
• Restriction: Individuals can restrict processing of their personal data.
• Data Portability: Individuals can receive their data or have it transferred to another controller.
• Object: Individuals can object to the processing of their personal data.
• Rights related to automated decision-making including profiling: Individuals have the right not to be subject to decisions based solely on automated processing.

6. Processing Data Subject Requests

The Company acknowledges the importance of timely response to data subject requests. We have implemented procedures to:

• Confirm the identity of the individual making the request to prevent unauthorized access.
• Respond to the requests without undue delay and in any event within one month of receipt of the request.
• Extend the time to respond by a further two months if necessary, taking into account the complexity and number of requests.

7. Data Access and Authorization Control

Access to personal data within the Company is governed by the following controls:

• Role-based access control (RBAC) ensures that only authorized personnel can access personal data as necessary for their role.
• Access rights are reviewed and updated in response to personnel changes or role modifications.
• Audit trails for access and modifications to personal data are maintained.

8. Data Security

The Company employs a range of security measures to protect personal data, including:

• Encryption of data in transit and at rest.
• Secure data storage facilities and data centers.
• Implementation of network and application-level security controls.
• Regular security assessments and penetration testing.
• Incident response and data breach notification procedures.

9. Training and Awareness

All employees, contractors, and third parties who have access to personal data are required to complete data protection training. This training is part of the onboarding process and is refreshed as required by changes in legislation or Company processes.

10. Compliance and Review

The Data Protection Officer (DPO) is responsible for overseeing compliance with this policy and with relevant data protection legislation. Regular audits will be conducted to ensure that the Company’s data handling practices remain compliant and that any corrective actions are taken promptly.

11. Changes to this Policy

This Policy may be updated to reflect changes in legal or regulatory obligations, or in the way we process personal data. Any changes will be communicated to all staff and relevant stakeholders.

12. Contact Us

For further information about this Policy or to exercise any data-related rights, please contact our Data Protection Officer (DPO) at:

João L. Carapinha

1950 W. Corporate Way PMB 95478,
Anaheim, CA 92801
United States of America

Tel: +1 617 219 9400
Email:  company (at) syenza (dot) com